Blackmailers are threatening to infect your family with Coronavirus, trolls are making Zoom an unsafe place for those of a sensitive disposition, and what is the mysterious Dr Negrin audio message spreading on WhatsApp?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.
Visit https://www.smashingsecurity.com/171 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Geoff White.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps. But LastPass isn’t just for enterprises; it’s an equally great solution for business teams, families and single users. Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- "Stay home and help flatten the curve!" — Tweet by Pornhub.
- ‘Dirty little secret’ extortion email threatens to give your family coronavirus — Naked Security.
- Google Assistant calling the hairdresser for an appointment — YouTube.
- Geoff White tweets about the "Dr Negrin" audio message — Twitter.
- Priest in Italy live streams mass, activates filters by mistake — Reddit.
- Beware of ‘ZoomBombing:’ screensharing filth to video calls — TechCrunch.
- ‘Zoombombing’: When Video Conferences Go Wrong — The New York Times.
- How to prevent your Zoom meetings being Zoom-bombed (gate-crashed) by trolls — ZDNet.
- Students Are Targeting Zoom and Classroom With Bad Reviews To End Homework During Coronavirus Outbreak — Newsweek.
- MS-DOS Games you can play in your browser — The Internet Archive.
- Humbug by Graham Cluley — The Internet Archive.
- A New Map of Wonders: A Journey in Search of Modern Marvels — Amazon.com.
- Revolution [8 Bit Tribute to The Beatles] — YouTube.
- 8 Bit Universe — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GEOFF WHITE. A friend of mine described being stopped in Chelsea, of all places, by a guy driving a van who leant out the window and went, "Do you want to buy some loo roll?" That is actually happening on the streets of the UK.
ROBOT. Nudge, nudge, wink, wink. Smashing Security, Episode 171: WhatsApp Hoaxes, Zoom Bombs, and 8-Bit Love with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 171. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. I'm glad you're still with us, Clue.
GRAHAM CLULEY. Yeah, everything good in your world? Any problems?
GEOFF WHITE. Oh yeah.
GRAHAM CLULEY. Anything?
CAROLE THERIAULT. No. Hey, I decided to go on a vacation today, so actually went into the living room before the point in time. I've been moving knickknacks around just to kind of brighten it up, you know.
GRAHAM CLULEY. Brighten it up.
CAROLE THERIAULT. Give it a bit of zhuzh.
GRAHAM CLULEY. And we are joined this week. Thank you so much. We've got a special guest joining us. It's returning to the show, technology journalist Geoff White.
GEOFF WHITE. Hi, how you doing?
GRAHAM CLULEY. Well, you know.
CAROLE THERIAULT. Geoff, thanks for making the time.
GEOFF WHITE. Well, you know, diary's a bit clear at the moment for some reason. My invites for people to go to the pub, they're falling on deaf ears. So yeah, for some reason—
GRAHAM CLULEY. Because you almost weren't able to join us, were you? Because you had some— I think you had a speaking gig lined up for this week, which for some reason has fallen through.
GEOFF WHITE. Yes. So I just find myself with this sort of expanse of time in front of me, and then it doesn't help people tweeting that various historical figures, you know, inventors have invented amazing things with their time off, you know, people tweeting about this stuff. Putting the pressure on of like, not only do I have time off in front of me, but I'm now supposed to revolutionise the fucking world as well.
CAROLE THERIAULT. Yeah, do your job, Geoff!
GEOFF WHITE. Just sorting out the food cupboard took me the morning, I mean, you know. So I'm literally, I'm not kidding, my plan for this afternoon after this is to make mince pies because I've found some mincemeat that a friend gave us a while back and I'm like, Sod it, use everything up. We've got a panettone, we don't know what we're gonna do. We're gonna eat the panettone.
CAROLE THERIAULT. Bread and butter pudding, bread and butter pudding, delicious.
GEOFF WHITE. I've heard, I've heard that.
GRAHAM CLULEY. Okay, well, welcome to Carole and Geoff's cooking show.
CAROLE THERIAULT. Geoff, I'm up for it, I'm up for it.
GRAHAM CLULEY. Carole, what's coming up on the show this week?
CAROLE THERIAULT. First, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, in today's show, Graham tells the tale of an unusual sextortion scam. Geoff tells us how the disease is spreading garbage on social media. And I'm gonna tell you what the bored trolls out there are up to. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, no one's listening. Don't worry, because no one's commuting any longer, right? So we can have a completely open conversation about things. Huddle, huddle, right? Huddle up. Right. Maybe we should share our dirty little secrets. If we have 1 or 2 or 3 or grow 38.
CAROLE THERIAULT. How long do you have?
GRAHAM CLULEY. Exactly.
GEOFF WHITE. Nobody prepared me for this bit. This is a new segment of the show.
GRAHAM CLULEY. So as we described last week, the people of Italy, Spain, and France, they have been given free access to a niche website called Pornhub Premium in order to ease the tedium of being locked in their homes to prevent the spread of the coronavirus.
CAROLE THERIAULT. I'm sure their kids love it.
GRAHAM CLULEY. And in fact, just a few hours before, just before we recorded this, I had someone who brought to my attention a tweet from Pornhub saying that they've actually decided to flatten the curve. So if you had a curve, they are going to help flatten it. They are saying they are making Pornhub Premium free worldwide until April 23rd. So you no longer—
CAROLE THERIAULT. This is hot off the presses, Graham.
GRAHAM CLULEY. This is hot off the press. You no longer have to install a VPN and pretend to be Italian.
CAROLE THERIAULT. Everyone in the world can apparently now let the ISP know exactly what kind of porn you like.
GEOFF WHITE. I got a text message from the government warning me to stay in. I mean, I didn't get a text message about this.
GRAHAM CLULEY. Exactly. I mean, come on. I really think if the government wants to cheer people up, this is an obvious way to do it. And people are a bit snobby about porn, aren't you, Carole? I think— I don't know, I'm just not, you know. Look, my argument is this: is self-isolating really as bad as we're making out? We're all having to do it at the moment.
CAROLE THERIAULT. Oh, sorry, in your lofty heights up in North Oxford, maybe things are really pretty cosy.
GEOFF WHITE. Surveying the grounds, you know.
CAROLE THERIAULT. Imagine the people that have like 8 kids.
GRAHAM CLULEY. I remember—
CAROLE THERIAULT. Tiny flats.
GRAHAM CLULEY. I remember my teenage years, and I pursued my solo pursuits in my bedroom for many, many minutes without feeling—
CAROLE THERIAULT. Geoff, I'm sorry, he's losing his mind.
GRAHAM CLULEY. Any empty— No, but I think it's possible to do this, right? Obviously it's inconvenient. Obviously it's disturbing if you're away from loved ones and if there are people you need to care for. I totally get that. And, you know, I think that's a topic we're just going to talk about.
CAROLE THERIAULT. There's a shortage on tissues, isn't there?
GEOFF WHITE. That was why there was the run on bog roll. A friend of mine described being stopped in Chelsea, of all places, by a guy driving a van who leant out the window and went, do you want to buy some loo roll? That is actually happening on the streets of the UK.
GRAHAM CLULEY. Nudge, nudge, wink, wink.
CAROLE THERIAULT. Can I interrupt, Graham, just for one second?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. I know someone who has hoarded an enormous amount of loo roll. Well, I know a few actually. Should I report them to anyone?
GRAHAM CLULEY. Maybe you should break in.
GEOFF WHITE. Really?
GRAHAM CLULEY. Maybe you should raid it if you're after— are you after loo paper yourself?
CAROLE THERIAULT. No, no, I'm fine. I'm, uh, I'm, uh, dandy on that front. What? What?
GEOFF WHITE. How dandy? How dandy?
CAROLE THERIAULT. I have an alternative solution.
GEOFF WHITE. Oh, I have an alternative solution, and I don't think I don't want to ask.
GRAHAM CLULEY. Is it the neck of one of Her Majesty's swans?
GEOFF WHITE. Oh God.
CAROLE THERIAULT. I just think this is not a topic for radio.
GRAHAM CLULEY. No, I think we're going to have to edit out this entire—
CAROLE THERIAULT. Let's save it for video.
GEOFF WHITE. Oh God.
GRAHAM CLULEY. Anyway, Pornhub says that there's been a big perking up of its traffic. And, you know, I'm sure some people will, as a result of this, they'll be tempted by the offer and try it out online for the first time. This may be their first experience of online porn. So if you're an online porn virgin, this may be the time when you try it. Which means that if you subsequently receive an email claiming that someone knows your dirty little secret—
GEOFF WHITE. Mm, yes.
GRAHAM CLULEY. You might well be petrified. Just imagine it, right? There are going to be people who maybe aren't that internet savvy but have now been pushed onto the internet and are using it more simply because they feel a little bit isolated, and they might turn to a site like that for company. And then they receive the latest incarnation of a sextortion email. Friend of the show, Sophos' Paul Ducklin, is reporting that there is a new sextortion email doing the rounds, which has been spammed out to people, claiming to know every dirty little secret about your life. And to prove its point—
CAROLE THERIAULT. I was just gonna ask, good.
GRAHAM CLULEY. Yeah, prove its point, the email quotes one of your passwords. Now, that's something we've seen many times before, isn't it? What the scammers do is they take your password from a past breach, maybe like the LinkedIn breach from years ago, and then they quote it back at you and that—
CAROLE THERIAULT. Okay, so this is affecting people that are reusing passwords.
GRAHAM CLULEY. Well, even if they're not reusing passwords, you might recognize a password which you have used in the past.
GEOFF WHITE. It adds credibility, doesn't it, to the—
GRAHAM CLULEY. It really does.
GEOFF WHITE. The phish, as it were.
GRAHAM CLULEY. And it isn't hard for the criminals to find out your old passwords, but it can be really alarming, I think, for the typical user because they just think, well, how could they possibly know anything as secret as Mr. Tiddles.
CAROLE THERIAULT. Okay, so they're just blanketing, emailing tons of people, uh, and they've matched it to the passwords that they've pulled off some list somewhere.
GRAHAM CLULEY. That's right.
CAROLE THERIAULT. And say, I know you because you use catdogcatcat as your password, right?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And therefore, aha, I know everything about you. And I, hoping that I may be one of these Pornhub premium users, or whichever site, or whatever it is that you're doing online, right?
GRAHAM CLULEY. Because what they're saying is, if we know your passwords, then be aware that we probably know everything else about you. In fact, in the email, they say, we know all of your passwords. We know your whereabouts, what you eat. Not very much at the moment, quite frankly.
CAROLE THERIAULT. I think I'd reply and go, what?
GEOFF WHITE. What do I eat?
GRAHAM CLULEY. Who you talk to. That'd be easy for me and you, Carole. There's public evidence of that. Every little thing it says you do in a day.
CAROLE THERIAULT. Every little thing.
GEOFF WHITE. Yeah. Is magic.
GRAHAM CLULEY. Isn't it?
GEOFF WHITE. No, no, no, no, no, no, no, no, no.
GRAHAM CLULEY. Oh, gotcha.
GEOFF WHITE. Sorry. I've stingwoled you, as it were.
CAROLE THERIAULT. You did?
GEOFF WHITE. See, I just find this, I just, I find it endlessly fascinating the extent to which cyber criminals react in this kind of symbiotic way to movements in society. You know, so Pornhub offers free porn access to the premium site for people.
GRAHAM CLULEY. And.
GEOFF WHITE. And the cyber criminals are watching this and going, oh, okay, so what's our next move? There's this sort of dance that goes on. You know, that's very clever because obviously uptick in porn usage potentially, so you do an uptick in sextortion-type emails.
GRAHAM CLULEY. And it's incredible entrepreneurial spirit really, isn't it? They've seen an opportunity. If you're concerned about where the economy is going to be going over the next year or so, you know, worry not. There's plenty of imaginative people out there who are seeing opportunities and jumping on them. Unfortunately, it seems to be mostly the criminals at the moment who are doing it.
CAROLE THERIAULT. But this is the second week in a row that you've kind of gone, wow, aren't these guys amazing, these entrepreneurs?
GRAHAM CLULEY. Well, maybe it's time to change my career, Carole. Maybe it is.
CAROLE THERIAULT. Maybe it is.
GEOFF WHITE. Or maybe a new sponsor for the show. I'm just saying, you know, Magecart or whoever it is, you've got a lot of money, you know, brought to you by, you know, Ukrainian mobsters or the Filipino hacker groups or whatever. Come on, think outside the box.
GRAHAM CLULEY. I love that idea. I love that idea. So the email carries on. It says, "What am I capable of doing?" it asks itself rhetorically. And then it answers— she can't answer an email easy. It says, "If I want, I could infect your whole family with the coronavirus." What? Exactly. So what they're saying is, if you don't pay them $4,000 in bitcoin, they're claiming that they're going to come round, I don't know, cough on you?
CAROLE THERIAULT. I love the meeting that these guys would have had to create this email, right? We've got to get coronavirus in there somewhere, Frank, it's gotta be there.
GEOFF WHITE. It's good for SEO, quick.
CAROLE THERIAULT. Yes, exactly.
GRAHAM CLULEY. But you know, if you think about it, it doesn't really make that much sense. If these guys are saying, look, we're going to come around and we're going to infect you with coronavirus, how exactly are they going to do that? Are they going to sneeze on you? Are they going to cough on you? Are they going to shake you by the hand and say, we've got you? It doesn't seem like a business model which is going to actually— yeah, going to work properly, because obviously if they've got coronavirus, there's going to be a limited amount of time as they're coming up the hill towards me, they're going to get out of breath and think I need to go to the hospital.
GEOFF WHITE. I do love the idea one day of just getting a box through the post and it's addressed to you and you open the box up and there's just a sneeze inside it.
CAROLE THERIAULT. Achoo!
GEOFF WHITE. Ah, gotcha.
GRAHAM CLULEY. There is that website, isn't there, where you can send people— is it human shit or is it dog shit? There is, there is, there is.
GEOFF WHITE. What is your— what is your history like?
CAROLE THERIAULT. You're browsing with new levels of boredom.
GEOFF WHITE. But wow. Gosh. PosterShits.com.
CAROLE THERIAULT. Yeah, pretty soon it's gonna be like RaiderPoo.com.
GRAHAM CLULEY. I can't remember the URL, but there is a— I haven't ever bought anything from it.
CAROLE THERIAULT. Oh, here he comes.
GRAHAM CLULEY. I'm not a supplier to it or something like that, although that would be another source of income, I suppose. So obviously pretty nasty threats which are going on here, but just like all the other ones where they typically say, we're going to send sexy photographs of you to your friends and family or workers, or we've taken video of you. It's all nonsense. So don't pay, don't reply to the message, Carole, don't panic, obviously.
CAROLE THERIAULT. I don't know if any— I don't think any listener of ours would have fallen for this.
GRAHAM CLULEY. No, but what we want, Carole, is we want people to spread the word, right? Just like they can spread germs and spread viruses, we need people to actually spread the message.
CAROLE THERIAULT. Oh Christ, is this a new post-apocalyptic way of talking? Everything has come back to—
GRAHAM CLULEY. This is what we need to do. Because we're stuck in our homes, we can now speak to our partners or our children and say, I've found an excellent podcast, you know, even though I don't get to go take the dog for a walk any longer to listen to it or go commuting. Maybe we can all sit down, listen together, and we'll learn something about being safer online.
CAROLE THERIAULT. Better remember to bleep the swear words. I'm not sure this is the episode to start with.
GRAHAM CLULEY. That was all Geoff's fault, to be honest. Oh, fuck off.
CAROLE THERIAULT. I know, perfect. Geoff, what's your story for us this week?
GEOFF WHITE. Obviously, I've been getting quite interested in scammers like the ones that you've talked about, but also fake news being disseminated on social media. Because inevitably, just as you've described, the cybercriminals and the sextortionists have gone into action, the fake news merchants have done the same. And I find it absolutely fascinating how this has worked. I mean, for a start, social media companies, they're going to have grown. I mean, the amount of WhatsApp traffic, the amount of Facebook traffic. I was looking around, I couldn't find very recent figures for Facebook. But Twitter have announced today some figures, they reckon quarter to date, so last 3 months, their monthly active users went up 23%.
GRAHAM CLULEY. Really?
GEOFF WHITE. Wow. And they're saying, I mean, inevitably, most of that's going to be Donald Trump, coronavirus, isn't it? But it's interesting. So what they're also saying, they reckon their revenue is going to go down, Twitter, because advertisers are reining in their budgets, they don't know what to do. So on the one hand, these companies have got loads and loads of eyeballs. On the other hand, that would normally drive a huge amount of advertising, but the advertisers are pulling their necks in. So there is this interesting sort of push-me-pull-you thing.
GRAHAM CLULEY. Right.
GEOFF WHITE. I also wonder, I mean, people may remember shortly before coronavirus took over the entire world's news, we were talking about the sort of tech lash, about the criticisms of people like WhatsApp and Facebook and Twitter and the attempts to kind of rein in these companies. And I just wonder, after this, will those companies be able to turn around and as part of the lobbying campaign say, well, hang on, when you needed us, when there's an emergency, we were hugely important. Yeah, there was all these WhatsApp groups for kind of local mutual aid groups and stuff being set up. So I wonder how that will play into the discussion longer term.
GRAHAM CLULEY. Certainly I'm not on Facebook and I don't use WhatsApp, but in my wife's circle of friends, they all seem to be on it at the moment and sharing information. Yeah, and also other things as well. For instance, there's a chap who did some sort of exercise video, I think every morning he's doing it, and all the mums at the school are doing it with their kids.
CAROLE THERIAULT. And you know what, we should put that in the show notes for our international audience.
GRAHAM CLULEY. So it's called Joe Wicks.
CAROLE THERIAULT. It was like a UK-wide PE half hour that's going every day. So it's on YouTube so everyone can watch it.
GEOFF WHITE. It is. I mean, it's interesting so that in a way, because we're able to communicate online, because social media does exist, it is slightly easier to cope with all this stuff. I mean, can you imagine doing this without the internet? Trying to stay indoors for 3 weeks without the internet? Yeah, quite difficult. But of course, as everything's a flip side to this, the flip side, of course, is the amount of disinformation being spread on social media. And also the companies' attempts to try and crack down on that. So I've had friends and colleagues who've posted stuff on Facebook that is sort of controversial, but, you know, it is true, it's fair comment, and it's been deleted by Facebook, because Facebook's algorithms are going nuts. I mean, how do you interpret what's correct coronavirus information, what isn't? It's not always easy.
GRAHAM CLULEY. Also regarding that, one of the things I heard is that they're making use more of their algorithms than human intervention, because of course they don't necessarily have as many people able to actually monitor and moderate those sort of things. So they are more reliant on the algorithms, which may make mistakes.
GEOFF WHITE. Yeah, yeah. I imagine in a case like this, yeah, the algorithms are cranked up. I mean, a human moderator has a limit to how much they can do in terms of the number of hours they can work. Obviously, an algorithm, once you've trained it, if you keep training it, you can just throw more material at it. So in a way, you've got more bandwidth you can use with your algorithmically based filterings than you can with the humans.
CAROLE THERIAULT. But we'll all be suffering a bit with the false positives that happen.
GEOFF WHITE. Exactly, yeah. So normally you would try and throw as much as you could towards the human moderators. So the one I've been looking into, there's an audio recording that's been going around, read out by a woman with a— it sounds a bit like an Australian accent, but it might also be South African, an Antipodean twang, this lady's accent. And she reads out what she claims is information that she's got from a hospital in the Canary Islands. "Hi guys, just wanted to pass on this information. It was sent to me by a colleague who has a friend that works at Dr. Negrin, which is the main hospital on our island. It's obviously in Spanish, so I'm just gonna read it and translate it for you. This is what it says. The Chinese now understand—" And she goes on to give advice about, you know, what you can do. Now, some of the advice is quite sensible advice about drinking fluids and all that kind of thing. Some of it isn't actually that sensible advice. And particularly the whole point is, this is what you can do to either treat or avoid coronavirus. And from that context, this stuff is dangerously misleading, because it talks about if you drink hot drinks, "You wash the virus into your stomach where the stomach acids will destroy the virus." And even though I'm not a medical professional, I'm pretty sure that's bollocks.
CAROLE THERIAULT. Yeah, but if you didn't know anything, it could sound vaguely common sensey. Someone might go, "Yes, of course I have stomach acid. I have acid reflux all the time."
GEOFF WHITE. "Makes perfect sense." And that's the thing. It's not out-and-out crazy, like drink hydrogen peroxide or bleach or whatever to, you know— So it's not harmful advice. It's not going to harm you. It's just it's not going to do anything for coronavirus. But what I find fascinating about this is A, it's spreading. I've had loads of friends, loads of family, loads of colleagues who've had this. And by the way, I am trying to track this. So if any listeners have heard this, get in touch with me on Twitter. I'm @geoffwhite247 on Twitter, because I'm interested in the earliest cases. The earliest example I can see was from Friday, 20th of March, so last Friday as this is being broadcast, at about 3 in the afternoon. Any earlier than that, let me know, because I'd be really interested. I'm desperately keen to see if I can try and trace this back. Because it's not like the sort of copy and paste scams where you copy and paste the text.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Yeah.
GEOFF WHITE. Somebody's recorded— this is a single recording that's come from somebody, or somebody maybe voice-synched it, but it's a single artifact that's spreading and spreading like wildfire.
CAROLE THERIAULT. It could be just a deepfake voice.
GEOFF WHITE. Could be, could be, but somebody's made the recording.
CAROLE THERIAULT. So yeah, someone's created it, right?
GRAHAM CLULEY. It sounds like a regular voice to me when I heard it.
CAROLE THERIAULT. Oh, I didn't know you were an expert in those things.
ROBOT. Well, no, it just doesn't sound like Smashing Security, Episode 100.
GEOFF WHITE. Like the anonymous ones. We are anonymous. It's interesting, when I listened to it, you know the ums? There were ums and ahs in this recording, and it did make me think of that Google experiment where they— do you remember that one where Google's AI phoned up a hair salon, booked an appointment, and it had ums and ahs in the voice?
CAROLE THERIAULT. What's happening out there? Hi, I'm calling to book a woman's haircut for a client.
GRAHAM CLULEY. I'm looking for something on May 3rd.
CAROLE THERIAULT. Sure, give me one second.
GEOFF WHITE. Mm-hmm.
CAROLE THERIAULT. Sure, what time are you looking for around? Do you have anything between 10 AM and—
GEOFF WHITE. Because this is an audio file, I think it's harder for the platforms to spot, because text you can analyze fairly easily algorithmically. Video, I know YouTube have a whole thing which spots videos as it comes through to spot copyright infringement. But an audio file, I guess there's technology out there that can listen to audio files, but it strikes me that you're far more likely to succeed spreading audio spam in a way, and audio recording spam, than you are text or video, I think. Do you reckon? I mean, that's my sort of sense for it.
GRAHAM CLULEY. There's probably been less requirement for the technology companies to block audio— let's call it audio spam. Yeah. For want of a better word, there's probably been less requirement of it where normally it is text or it will be an image or something like that. So I think you're probably right. And what a curious thing that this whole advice was initially spread via audio as well rather than as a JPEG or something.
GEOFF WHITE. It's interesting. The advice she goes on to give is, I think, something like 10 points of advice. Those points of advice are available as text. So people have been posting saying, okay, here's what you do, here's the 10 steps to avoid coronavirus or whatever. But the interesting thing is, I can't find any mentions of those specific points before the audio file starts. So I don't think the audio file is a recording of something that would have been going around. I think this has come from the audio file. But the other thing is, two weird things about this. Number one, the stuff you've described, Graham, has a clear result. £4,000 or dollars in bitcoin for the spam.
CAROLE THERIAULT. Yeah.
GEOFF WHITE. You know, a lot of these sites that get set up, it's like, click to subscribe to our newsletter so we can give you updates, you know, important health updates. And then they get the email address, you know. With this, I can't see any gain or benefit. I can't see any results. It's— they're not asking you for money. There's no—
CAROLE THERIAULT. It's disruption though. It's causing disruption.
GEOFF WHITE. It exactly so. But, but the only motivation I can see for doing that is, is just the causing of disruption itself, which in a way makes it even more evil. Like, if you're making money, fine, but if you're just doing this just to spread— for no other purpose, just to spread this information—
GRAHAM CLULEY. I'm not as much of a conspiracy theorist about this kind of thing. I think it's more likely that it's just someone speaking nonsense thinking that they're helping people. And it may have been that initially they made a video and the social networks were blocking the video, maybe even, you know, took it off YouTube or whatever. But someone who liked it made an audio recording of it and thought, we'll share this because the social networks may not block it, but they were blocking the video. I wonder if— Possible. So, so it could have just been someone who thought, I've got some really good tips for people and they're completely and utterly misguided, or at least partially misguided, with some of those tips?
GEOFF WHITE. There's two things I'd say to that in response. The idea that this is somebody just sort of, you know, putting out what they think is some advice— well, what the audio recording says is that they've had information from inside a hospital in the Canary Islands. So whoever's recorded this isn't just saying, well, here's what I think. They're claiming to have got health advice. And obviously it's not— no hospital in the world is giving out the advice that they're giving. So it's somebody who's deliberately trying to give this the veneer of respectability and credibility. So I do think that's quite a cynical attempt to kind of get this out there. Secondly, the idea that this was a video first and then got taken down and made an audio file, I can't find— I mean, literally, this thing explodes on the 21st of March, Saturday, 21st of March. I think it started in the days before, but I can find hide nor hair, not a video mention, not an audio mention, not a text mention before those dates. It really takes off, I think, from Friday the 20th.
GRAHAM CLULEY. Well, okay, we've got 20,000, 25,000 people who are going to listen to this podcast over the next couple of weeks. We could— as they've got nothing else to do, quite frankly— if you've got any information at all about this, about this audio file, we want you to contact, well, either us, or please contact Geoff directly on Twitter @GeoffWhite247 and tell him what you know.
CAROLE THERIAULT. Yes, make sure he answers you right away, because he claims to work 24/7.
GEOFF WHITE. I never sleep. So anyway, no, I just find it, as I say, I find it fascinating. It feels very different. And I'm just intrigued to see how far I can track this one back. Mm.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Well, I wanted to ask Geoff before I started my story a question. Is there a public figure or a persona that you really loathe? Like, it doesn't even have to be for a serious reason, but someone you just can't stand.
GEOFF WHITE. Piers Morgan. I know it's a classic one, but I do— Michael Gove just winds me up.
CAROLE THERIAULT. Oh yes, yes, he has a little, yeah, weasely little—
GEOFF WHITE. Okay, seriously, I did once comb Michael Gove's hair. That's my claim to fame.
CAROLE THERIAULT. Okay, I'm going to circle back on that in the story later on. Okay, so it turns out that not everyone is feeling the pinch, right? Actually, it's not really a pinch that most of us are feeling, it's more like a steel-toe boot kick in the proverbial ballsack.
GRAHAM CLULEY. Is your ballsack proverbial, Carole?
CAROLE THERIAULT. Very much so. However, some people are quids in. Zoom, the video conferencing app, is one of these guys.
GEOFF WHITE. Oh yeah.
CAROLE THERIAULT. On Sunday, nearly 600,000 people downloaded the app. Its biggest day ever.
GRAHAM CLULEY. Wow.
CAROLE THERIAULT. And this is all because of the outbreak. Zoom has added 2.2 million new users this year. That's more in 3 months than they added in all of 2019.
GRAHAM CLULEY. Wow.
CAROLE THERIAULT. So Zoom, just for those that don't know, Zoom is like any video conferencing chat app, but I think what makes it special is it lets you connect with a much bigger group, like 20, 30, 100, something like that. You guys must have used it.
GRAHAM CLULEY. Oh, really? You can conference with up to 100 people on Zoom?
CAROLE THERIAULT. I think so, yeah.
GRAHAM CLULEY. That sounds hellish.
CAROLE THERIAULT. No, but that's why it's really good for like big classrooms. So classrooms are using it and meetings are using it because lots of people can get on and use it at the same time.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. So last night was our monthly book club, right? Which was our very first digital meeting. My other half set up Zoom for the group. Most of the group is an older generation and most of them have used Zoom before, but nothing else. So we thought that was the easiest thing to do, but gee, it was like a comedy sketch, right? It took like 10 minutes to get all the tech going, and it's like they're leaning into the pictures, and it's like, "Hello, hello, hi Frank, hi," and all this. And then at one point, one of our most sprightly 7-year-old members inadvertently turned on screen sharing, so we were all just insane. "Can you hear me in East Oxford?" Did you guys read about the priest who streamed his sermon in Italy but actually turned on the cutesy-wootsy filters without noticing?
GRAHAM CLULEY. Oh really?
CAROLE THERIAULT. Look, I sent a link. I sent a link. Check it.
GEOFF WHITE. Check it.
CAROLE THERIAULT. It's in the file.
GRAHAM CLULEY. Oh, for goodness' sake. I can't believe this. She's Rickrolled us.
CAROLE THERIAULT. Okay, no, I just had to get it in somewhere for him. It's been a while. Okay, here's the real link.
GRAHAM CLULEY. Here's the real link.
CAROLE THERIAULT. There you go.
GRAHAM CLULEY. So juvenile.
CAROLE THERIAULT. The priest is trying to set up the monitor and he's trying to get the angle right. And he thinks he's got it.
GRAHAM CLULEY. Oh, there's some— Right. So yes, there's sort of— There's like snow and things, which, and sparkles.
CAROLE THERIAULT. Just wait till he pulls back.
GRAHAM CLULEY. He appears to have some sort of mafioso hat on now and dark glasses. That's quite good for an Italian priest.
CAROLE THERIAULT. So we're all kind of trying to get around this, right? Figuring out how to do all this remote conferencing.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. And with overnight success like Zoom is experiencing comes a few not so welcome things. One is the tech support nightmare that they must be facing. I can just see from my book club that, you know, that the number of people that needed support. So I'm sure whilst they ramp up sales at a huge incline, they're probably behind on the tech support. And that must lead to lots of frustration for people. But the other problem that they face is online wise asses.
GRAHAM CLULEY. Whydasses?
CAROLE THERIAULT. Huh?
GRAHAM CLULEY. Whydasses? What are you talking about?
CAROLE THERIAULT. Online wise asses.
GRAHAM CLULEY. Sorry, no, I'm with you. I'm with you. I wasn't familiar with your vernacular.
CAROLE THERIAULT. Right, it's only been 20 years.
GEOFF WHITE. I think it's arse in the UK. Wise arse.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. So these online wise arses, perhaps bored, trapped with a very powerful computer, and they've already found a way to disrupt all this remote working. And it's called Zoom bombing.
GRAHAM CLULEY. What?
CAROLE THERIAULT. It's a great name, right? Whoever comes up with this name, it has to be good because it's going to help people share it if they like the name.
GEOFF WHITE. Zoom bombing.
CAROLE THERIAULT. So, Zoom bombing. So, okay, let's imagine you two are having a digital tea party, okay? Complete with Bakewell tarts. And what's that pink and yellow checkerboard cake thingy?
GEOFF WHITE. Battenberg.
CAROLE THERIAULT. Battenberg.
GEOFF WHITE. King of cake, right?
CAROLE THERIAULT. Yeah, king of cake. Okay, so you guys are sitting there with your tea and your cakes, right? And you're complimenting each other's sense of style. And suddenly Piers Morgan, Michael Gove drop in on the call uninvited.
GRAHAM CLULEY. Oh my God, that would be horrific.
CAROLE THERIAULT. I know, you'd probably spill tea everywhere.
GRAHAM CLULEY. Oh, I'd vomit.
CAROLE THERIAULT. Well, now, if Piers or Michael Gove were actually like the trolls that have been disrupting Zoom's smooth ride to the top heights of the App Store, they would probably have interrupted your virtual tea party and projected graphic content to all the participants. So on Tuesday, Chipotle, the company, was forced to end a public Zoom chat after one participant began broadcasting porn to hundreds of attendees.
GEOFF WHITE. Oh, so they join Zoom chats that are kind of open to the public, so kind of anybody can sort of—
CAROLE THERIAULT. Yes, because look, this is a public Zoom chat, right? So the idea that public can come in and ask questions to the musician and ask Chipotle about their brand new sandwich and whatever.
GRAHAM CLULEY. French cheese.
GEOFF WHITE. I'll show you a sandwich. It's a foot long.
GRAHAM CLULEY. Sorry. Is that a baguette, or are you pleased to see me?
GEOFF WHITE. No ma'am. Sorry.
GRAHAM CLULEY. Stop it, right? Behave, behave. Carole's trying to tell a story here.
CAROLE THERIAULT. Yes. Chipotle are not the only people to have suffered this. Kara Swisher of popular tech pod Recode and Jessica Lessin were hosting a Zoom event focused on the challenges of women tech founders. And they were forced to abruptly end the event after just 15 minutes of conversation because the participant began broadcasting 2 Girls 1 Cup.
GEOFF WHITE. Oh, God.
CAROLE THERIAULT. I don't know, maybe one of you guys can explain what that is to our audience.
GRAHAM CLULEY. I've never seen it.
GEOFF WHITE. I haven't either. No.
GRAHAM CLULEY. I've heard of it.
GEOFF WHITE. I've read descriptions of it. It's not fun. Yes.
CAROLE THERIAULT. Let's just say it comes back to our poop theme, shall we?
GEOFF WHITE. That's all I'm gonna say. You don't get that in Chipotle. That's all I'll say. That's not— No matter how few cups they have, you'll never— oh wow. But it's interesting, I mean, basically what you're doing is you're setting up a kind of a—
CAROLE THERIAULT. Kind of community-driven chat.
GRAHAM CLULEY. Yeah.
GEOFF WHITE. So inevitably, if you just make it available to everybody, you've got to have somebody sort of monitoring each person's input to it.
GRAHAM CLULEY. Yes, yep, of course. You can't let the great unwashed public loose on the internet because they're going to cause this kind of mischief, aren't they? So all the 14-year-old boys are going to think, oh, I know what would be really fun.
CAROLE THERIAULT. You know, so they tried to kick the person out, right, in a lot of these cases. But attempts to block the attack were thwarted because they would just simply reenter under a new name.
GEOFF WHITE. Yes, yeah, yeah, yeah.
CAROLE THERIAULT. And then share more grossy clips. And these hosts in all these instances that I read about had to end the call.
GEOFF WHITE. So you can't block by IP address on Zoom, presumably, or?
CAROLE THERIAULT. Yeah, so I wanted to like, how, why is this happening, right? So I was like, oh, it's a public call. OK, so there's these default settings that allow any meeting participant to share their screen without permission from the event's host. That is a big problem, I think. You know, surely you should have the event host person say, 'Yes, I approve.' You know, Piers Morgan, you can show whatever you want to show us.
GRAHAM CLULEY. Well, maybe what they, maybe what they should have is some way of people registering a user account with Zoom, but you can only actually share your screen after you've had an account for an hour or something like that, or a couple of days.
CAROLE THERIAULT. Yes, that would— yes, that's a nice way around it. You just delay the joy.
GRAHAM CLULEY. Yeah, it's slightly inconvenient if you know, if it's the first time and you wanted to join a conversation, but it's not, you know, disastrous.
GEOFF WHITE. The one we were doing the other day, so we had a multiple Zoom thing and there was my picture of myself was in the middle in the large frame and then there were tiny little frames across the top of the other people. In order to have somebody share their screen and have it be the main picture, as it were, I don't understand who controls that. Surely somebody can't just go, well, I want to be the main picture that everybody sees. Do you see what I mean?
CAROLE THERIAULT. They start playing like heavy trash metal.
GEOFF WHITE. Why? They start being the main event.
GRAHAM CLULEY. Yeah, but if you've got 100 people on the call, Carole, there's going to be more than one person talking, surely. These calls must be chaos.
CAROLE THERIAULT. I'm going to tell people how they can keep gatecrashers out of their party. You can set up your Zoom to not allow any audience member to join the meeting before you do the host. Right? So you, in Zoom, there's an option called join before host. Just make sure that's not on. Enable play sound when participants join or leave. It does create more noise, but it also could alert you to the arrival of trolls. And this is a good one, is disable file transfer and disable desktop screen share for users. So that means your audience that come in can listen and see what you do, but they can't take over the screen. So like you were saying, doing earlier.
GEOFF WHITE. Yes, that's a good idea. Yes, that seems to be a key button to press, that one, doesn't it? Yeah.
GRAHAM CLULEY. Ah, so maybe only their webcam gets— is visible, but they can't share whatever porn they've got on their website or something like that. I mean, that would be—
GEOFF WHITE. You could just hold up your mobile phone to your webcam with stuff on your mobile phone.
GRAHAM CLULEY. I suppose.
GEOFF WHITE. That's gross on it. I mean, that is a feasible workaround. Not that I'm trying to advise trolls on how you can work around this or anything, but—
GRAHAM CLULEY. Yes, you've thought about this, Geoff. Good.
CAROLE THERIAULT. The last thing is to disable allow removed participants to rejoin. So booted-out attendees can't slip back in, but again, they just can get a new username. Anyways, using Zoom is good, but be wary. Everyone else is jumping on the Zoom bandwagon, so don't expect excellent tech support for a while. And make sure you set it up properly if you're going to use it so you don't get Zoom-bombed.
GRAHAM CLULEY. It's not just Zoom, actually, because of course there's lots of students at the moment working from home. My lad is beavering away, allegedly, at his classwork on Google Classroom and also Zoom. Apparently students are actually giving bad reviews to a lot of these apps which are used for homeschooling in the hope of disrupting their own homework. So what they're giving bad reviews on the app stores because they think if they give enough bad reviews to Zoom and Google Classroom and others, they'll get kicked out of the app stores by the algorithm. So if you look right now in the app stores at some of these apps, they've all suddenly got this slew of one-star reviews from all the kids who are fed up with them.
CAROLE THERIAULT. That's just delicious. So many of us now are realizing that moving to a fully work-from-home environment isn't always easy, but LastPass is here to make that transition easier, all without decreasing security. LastPass ensures your employees have secure access to their work applications and provides remote employees the ability to securely share passwords across teams in order to stay on top of critical projects. If you want to learn more, visit lastpass.com/smashing.
GEOFF WHITE. On with the show.
GRAHAM CLULEY. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GEOFF WHITE. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Should not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security related because I reckon that you need some entertainment while you are quarantined. And if the niche websites which we've mentioned in today's episode aren't quite good enough for you, then maybe you should go to the Internet Archive because they have a collection of around about 7,000 classic MS-DOS games from the era before Windows, and you can play them inside your browser.
CAROLE THERIAULT. Oh, cool! I'm gonna guess your game's there. That's why we're bringing this up, isn't it?
GRAHAM CLULEY. Well, actually, Carole—
GEOFF WHITE. Have you got a game, Graham? What's that?
GRAHAM CLULEY. I did— Oh, did I never mention it? I did used to write computer games back when I was a student, and so I did find SimCity. I didn't write that one. I found the likes of Xenon 2: Mega Blast, which I have to say, emulated is just as good as Xenon 2: Mega Blast is. Leisure Suit Larry is just as rubbish. But I also did search for some of my games. There's one or two of them up there. If you were to look for the game Humbug, if you like a classic text adventure game—
CAROLE THERIAULT. You still mail out the maps if they give you 10 pounds.
GRAHAM CLULEY. No, no, no, you can't write to me any longer. It's all been released into the public domain now. —but go and check out Humbug. Anyway, it's really fun, and if you want to show kids how rubbish games used to be, they'll think they're rubbish. They're actually not rubbish. These are brilliant games, but you might be surprised.
CAROLE THERIAULT. How could they think it's rubbish when they play— what's that thing they play? Minecraft.
GRAHAM CLULEY. Minecraft, Fortnite, all those sort of things. Overwatch. Yeah, they play all of those, don't they? But, you know, a lot of these games actually have incredible playability. For your generation. For my generation, yes, for the over-50s. Maybe you'll enjoy it. So I'll put a link in the show notes to this fabulous collection of old MS-DOS games. Excellent. Geoff, what's your pick of the week?
GEOFF WHITE. My pick of the week is a book, printed matter book. Oh, I've got a stack of books actually that my wife's got me that I'm making my way through very slowly. This is called A New Map of Wonders. It's by a guy called Caspar Henderson. And it's a book about wonder. And a lot of it's about science and nature and physics and chemistry and biology wonder. I hated this book at first because the intro is all about, oh, what, you know, wonder, what a wonderful world we live in and we've forgotten a wonder. And I just thought, oh, it's just bollocks. But then I started reading it and it has the most amazing stuff in it, which obviously to scientists is going to be old news, but to me it was revelatory. And then just one bit I'm just going to talk about, which is just— this is totally astonishing. So you may or may not know that your muscles are powered by a thing called ATP. No, I didn't know that. No, this is adenosine triphosphate.
GRAHAM CLULEY. Oh yes, I knew that.
GEOFF WHITE. Yes, yes, yes. When your muscles contract, they have to attach to each other to contract. The muscle strands attach, and to attach they have to bind using a phosphate molecule. Okay. So adenosine triphosphate is the thing they use for this, and obviously lose a phosphate molecule, so it becomes adenosine diphosphate, ADP. So to keep your muscles working, somehow you've got to take ADP and add a phosphate molecule to replenish your energy. How you do this is inside your cells, you have mitochondria, which is the bit of your cell that does the energy using. Inside the mitochondria is a water wheel. Not like— I'm not using that as an analogy or a metaphor. According to this book, there is a literal biologically built mechanical water wheel in the cell. Protons fall through a hole above the mechanical water wheel, and they turn the wheel. At the other end of the wheel is another wheel that picks up a phosphate molecule, smooshes it together with ADP diphosphate, two phosphates, to create ATP triphosphate. And that is happening. Okay, so here's the figures you have. And guess how many mitochondria you've got inside you? First of all, have a guess. A gazillion. No, come on, that's not even a number.
GRAHAM CLULEY. Well, it is. 30,000.
GEOFF WHITE. Oh God, what? No, higher than that.
GRAHAM CLULEY. 100,000. A million. Higher? This is— what are you, Bruce Forsyth? Play your cards right.
CAROLE THERIAULT. A billion billion billion.
GEOFF WHITE. It's close. It's a quadrillion. It's a thousand trillion mitochondria that you have inside your body right now.
CAROLE THERIAULT. So I was right the first time.
GEOFF WHITE. That is two football fields. And those little protons that I talked about that go through—
GRAHAM CLULEY. Hang on, what do you mean is two football fields? What does that mean?
GEOFF WHITE. Well, if you— if it's a surface area of two foot— so if you unfolded them all out and put them side by side flat. See, that's—
CAROLE THERIAULT. So that's why some of us are more robustly shaped than others, because we have more mitochondria?
GEOFF WHITE. It's true, you're bulging with mitochondria. That's my issue. Those protons that power the water wheel, you've got a billion quadrillion of those.
GRAHAM CLULEY. I thought I was just big-boned. In fact, it's all water wheels.
CAROLE THERIAULT. You see, this is what lock-in does to people, right? It lets you really dive into the things that entertain you. I think this is cool.
GRAHAM CLULEY. So it's A New Map of Wonders by Caspar Henderson, and you've got this in the crazy format of a genuine paper book.
GEOFF WHITE. Yes, I literally thumbed through it with my actual physical fingers.
CAROLE THERIAULT. I was just thinking, you know, fuck you, Geoff, because we can't actually order stuff now that's non-essential. I don't think this counts.
GRAHAM CLULEY. So, uh, I think Amazon will bring pretty much anything to you still. Oh really? I think so, yeah.
CAROLE THERIAULT. Just because it can doesn't mean it should.
GRAHAM CLULEY. Carole, please take us away from here. What's your pick of the week?
CAROLE THERIAULT. We've been playing this game. This is what we've been doing for fun of an evening, being trapped indoors for many, many days. So here you go. There is a link. I want you to guess that song. It's 8-bit. It's 8-bit. So you get to play. You get to play the 8-bit Guess That song game, it's Revolution by the Beatles. Yes, and it's okay. So if you go to their playlist—
GRAHAM CLULEY. So this is a YouTube channel, 8-Bit Universe?
CAROLE THERIAULT. Yeah, 8-Bit Universe YouTube channel. If you go to their playlist, they have their first one, it's like 8-bit without vocals, which is the one that I think is the one you should play. And they have like 2,000 songs and you just can race through those, and there's stuff for everybody.
GRAHAM CLULEY. So how are these made? Is it that someone has programmed them, or do they have some program which takes a piece of music or maybe the MIDI of the music, and then makes it 8-bit retro style. I imagine, considering how many they have here—
CAROLE THERIAULT. I mean, they have a lot of subscribers as well, right? But they have 2,700 songs just in this one playlist.
GRAHAM CLULEY. Oh, they've got a huge playlist, haven't they?
GEOFF WHITE. Oh, this is brilliant. This is good. Yes, this is the rest of the week for me. Oh yeah, yeah, fantastic. You're welcome, Geoff.
CAROLE THERIAULT. Listeners, you are welcome. The link is in the show notes. This is a YouTube channel by 8-Bit Universe. Of course, check out Play That Game, guess that song.
GRAHAM CLULEY. And on that note, it just about wraps it up. Geoff, I'm sure lots of our listeners would love to follow you online. What is the best way for folks to do that, or indeed to tell you about that WhatsApp bizarre message spreading around?
GEOFF WHITE. Yes, the audio message, the Dr. Negrin hoax. I am Geoff White 247, Geoff with a G, white like the color, and then the numbers 247 on Twitter. That's the best way.
GRAHAM CLULEY. Cool. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And you can also join our Reddit subreddit, uh, just search for Smashing Security up there.
CAROLE THERIAULT. Mega, mega thank you guys for listening to us and supporting us, especially during a viral pandemic. Huge, huge thank you as well to this week's Smashing Security sponsor, LastPass. It is continued support like this that helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio!
CAROLE THERIAULT. Bye!
GEOFF WHITE. Bye!
CAROLE THERIAULT. Before you go, before you go, how clean are your houses? No one's coming over. Are you leaving your gross old pants on the floor and no one cares, or are you kind of— Just wearing pants.
GRAHAM CLULEY. We're working from home. Oh God, the image, the image.
-- TRANSCRIPT ENDS --